How to Cisco external web authentication
Bo Nielsen, CCIE #53075 (Sec)
Oktober 2016, V1.00
Overview
The principle is that the user connects to a wireless network, and the network must be open. An
open network with a captive portal always starts by giving the client access to the network with an IP
address, and in this phase DNS is implicitly allowed. The WLC then makes an http redirect on the
first http request; it spoofs the original destination IP address, so the browser thinks that it is
communicating with the requested web page.
The http redirect on the Cisco WLC goes either to a local web page or to an external web page.
In both cases the web page must guide the user's web browser to send the login credentials to the
virtual interface (1.1.1.1). The login is delivered over https, and the authentication can be made
locally on the WLC itself or via RADIUS. With RADIUS the login can be approved by Windows AD.
The process of external web authentication is illustrated here (message flow from the figure; the
participants are the wireless client, DNS, the WLC Web Auth, Aruba Clearpass at 10.100.200.78 and
Win-AD reached over LDAP/LDAPS):
1. DNS for www.dr.dk
2. http://www.dr.dk
3. Redirect = http://10.100.200.78/guest/cisco.php
4. Get = http://10.100.200.78/guest/cisco.php
5. Login page (skin) URL=http://10.100.200.78/guest/cisco.php?Switch_url=https://1.1.1.1/login.html
6. Submit login to https://1.1.1.1/login.html
7. RADIUS (PAP) from the WLC to Aruba Clearpass, which checks the user against Win-AD (LDAP/LDAPS)
8. Success page, after which http://www.dr.dk reaches www.dr.dk
For authentication via RADIUS the Cisco WLC by default uses PAP and can be set to either PAP, CHAP
or MD5-CHAP under Security -> General.
Aruba Clearpass
An overview of the service rule, enforcement policy and enforcement profile is:
The enforcement profile uses the attribute Session-Timeout to set the timer for the session.
The session time is stored on the Cisco WLC after successful authentication.
In this example the session-timeout is set to 1 hour (3600s), and the user is approved for 1 hour.
When reaching 1 hour the captive portal is displayed again, and the user must re-enter their login.
In practice the session timeout can be set to a higher value than 1 hour.
On Aruba Clearpass the configuration tasks are:
1. Authentication source from Windows AD.
2. Enforcement profile
3. Enforcement policy to set the session timeout
4. Service rule with authentication source, authentication method and enforcement policy
Service "CWA-WLAN-service"
Service rule: WLC (NAD), NAS-Port-Type = Wireless-802.11, Service-Type = Login-User
Authentication method: PAP
Authentication source: Windows AD
Enforcement policy "CWA-WLAN-enforcement"
Enforcement profile "CWA-WLAN-profile": RADIUS:IETF Session-Timeout = 3600
Enforcement profile
Configuration -> Enforcement -> Profiles
Enforcement policy
Configuration -> Enforcement -> Policies
Service rule
Configuration -> Services
External web page on Aruba Clearpass
Configuration -> Pages -> Web Logins
It is very important to select the option "The controller will send the IP to submit credentials".
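With that option selected, the Clearpass login page takes the address it must submit the credentials to from the switch_url parameter the WLC appended to the redirect (step 5 of the flow above). The helper below is an added example, not code from the page or from Aruba, showing the check such a page should make before using that value as the form action: the login form only ever posts over https to the WLC virtual interface (1.1.1.1, taken from the page); the URLs in the test are constructed from the page's values.

```python
from urllib.parse import parse_qs, urlsplit

# Assumption: the WLC virtual interface address from this setup; the page
# says the browser must send the login credentials to exactly this address.
VIRTUAL_IP = "1.1.1.1"


def login_form_action(redirect_url):
    """Given the full URL the WLC redirected the client to (the Clearpass web
    login page plus its query string), return the URL the login form should
    POST to, or None when switch_url is missing, is not https, or does not
    point at the WLC virtual interface.  Keys are compared case-insensitively
    because the page shows the parameter as "Switch_url"."""
    query = {k.lower(): v for k, v in parse_qs(urlsplit(redirect_url).query).items()}
    switch_url = query.get("switch_url", [None])[0]
    if not switch_url:
        return None
    target = urlsplit(switch_url)
    if target.scheme != "https" or target.hostname != VIRTUAL_IP:
        return None
    return switch_url
```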
Cisco Wireless LAN Controller
Start by checking that the Cisco WLC uses PAP.
Controller -> General
Next, verify that the installed certificate for Web Auth has the common name set to 1.1.1.1, or
that the certificate has the SAN field set to 1.1.1.1 as an IP address.
Security -> Web Auth -> Certificate
In this example I have used a certificate from an internal PKI, and it can be used for testing purposes
only, because the external users have not installed the root certificate from the internal PKI. In
practice a public certificate should be used, for example from Verisign, GoDaddy, DigiCert etc.
RADIUS
Security -> RADIUS -> Authentication
In this example the Aruba Clearpass is the RADIUS server with the IP address 10.100.200.78.
Note: The name of the SSID cannot be used as a condition for a service rule on Aruba Clearpass,
because the Cisco WLC sends the index number of the SSID. If the SSID index is to be included in
a service rule, then Auth Called Station ID Type must be changed to a type where the SSID index is
included in the RADIUS request.
Security -> RADIUS -> Accounting
Access Control Lists
Security -> Access Control Lists -> Access Control Lists
The ACL gives access to the website on Aruba Clearpass and DHCP. DNS is allowed by the WLC.
WLAN
In this example it is a setup with the SSID name Ford, and the management interface is used for WiFi
clients, which obtain their IP address from this interface.
General
Security (open SSID), Layer 2
Security (Web Auth), Layer 3
Pre Authentication ACL restricts traffic to Aruba Clearpass until the user is authenticated.
Security (Radius), AAA Servers
Advanced
It is important to select Allow AAA Override. This causes the session-timeout from RADIUS to
become the active session timer. If the override is not selected, the value for Session Timeout on the
Cisco WLC (here 600) sets the session-timeout. For an open SSID the NAC State must be set to None.
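To make the two timer sources concrete (the Session-Timeout = 3600 that the CWA-WLAN-profile enforcement profile returns, and the WLAN value of 600 that applies without Allow AAA Override), here is an added example, not code from the page or from Cisco or Aruba, that encodes a RADIUS Access-Accept carrying the IETF Session-Timeout attribute the way RFC 2865 defines it, validates the Response Authenticator on the receiving side, and then applies the override rule the page describes. The shared secret and Request Authenticator are constructed values.

```python
import hashlib
import struct

# Constructed for this example (not from the page): the RADIUS shared secret
# and the Request Authenticator the WLC placed in its Access-Request.
SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))

ACCESS_ACCEPT = 2
SESSION_TIMEOUT = 27        # IETF attribute type Session-Timeout (RFC 2865)
WLC_DEFAULT_TIMEOUT = 600   # WLAN > Advanced > Session Timeout on the WLC (page value)


def build_access_accept(ident, request_auth, secret, session_timeout):
    """Encode an Access-Accept with one Session-Timeout attribute (type, length,
    4-byte seconds). Response Authenticator = MD5(Code + ID + Length +
    RequestAuth + Attributes + Secret) as specified in RFC 2865."""
    attrs = struct.pack("!BBI", SESSION_TIMEOUT, 6, session_timeout)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def parse_access_accept(packet, request_auth, secret):
    """Check the Response Authenticator and return {attr_type: raw_value}.
    Raises ValueError when the packet is malformed or was not produced with
    our shared secret, so a forged Accept never sets a session timer."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Access-Accept")
    attrs = packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    if expected != packet[4:20]:
        raise ValueError("bad Response Authenticator (wrong shared secret?)")
    out, i = {}, 0
    while i < len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("malformed attribute")
        out[atype] = attrs[i + 2:i + alen]
        i += alen
    return out


def effective_session_timeout(attrs, aaa_override):
    """Timer the WLC actually runs: the RADIUS value only when Allow AAA
    Override is on and Session-Timeout was returned, else the WLAN value."""
    if aaa_override and SESSION_TIMEOUT in attrs:
        return struct.unpack("!I", attrs[SESSION_TIMEOUT])[0]
    return WLC_DEFAULT_TIMEOUT
```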
Redirect of https
By default on Cisco WLC the redirect for https is disabled. You can enable https redirect with:
config network web-auth https-redirect enable
If selected there will always be a certificate warning because the DNS name in the URL does not
match with the Cisco WLC certificate for Web Auth (default CN = 1.1.1.1).
Verification
Before approval
After approval